The silent door most small businesses leave unlocked
Stolen credentials are the top hacking method in 33 percent of small-business breaches, according to Zip Security’s analysis of the Verizon 2025 Data Breach Investigations Report. That number is virtually identical to the 32 percent rate at large enterprises. Small businesses are not too small to target. They are too easy to target.
The Verizon DBIR 2025 examined over 22,000 security incidents and 12,195 confirmed breaches, the largest dataset in the report’s 18-year history. Stolen credentials appeared in 22 percent of all confirmed breaches. That share is down from 31 percent the prior period, but not because credential attacks became rarer: the dataset grew, and other initial-access vectors, notably exploitation of vulnerabilities, grew faster. Attackers have added new methods on top of the old ones, not replaced them.
What has not changed: most small businesses still have not deployed basic multi-factor authentication.
The adoption gap
A 2022 global survey of 1,403 small business owners conducted by the Cyber Readiness Institute found that only 46 percent had implemented MFA at all. Just 13 percent required it for employee access to most accounts or applications; 49 percent merely encouraged it where available. Among those offering it, only 46 percent provided any employee training on why it matters.
More recent data suggests the picture is worse at the smallest end. According to the LastPass 2026 analysis of MFA adoption, citing DBIR and industry data: only 27 percent of small businesses with 25 or fewer employees have adopted MFA. Only 34 percent of medium-sized businesses have done so. And 55 percent of small business owners are not very aware of MFA or its security benefits.
Put simply: roughly three out of four small businesses are still relying primarily on usernames and passwords to protect employee, customer, and partner data.
What MFA actually stops, and what it does not
The good news is that MFA works when it is deployed correctly. CISA and Zip Security both cite Google’s 2019 account-security research, in which a second factor blocked 100 percent of automated bot attacks and up to 99 percent of bulk phishing attacks. The same study found much weaker protection against targeted phishing (76 percent for SMS codes, 90 percent for on-device prompts), and that gap is what the rest of this section is about. Even so, MFA remains the single most effective control against credential theft.
The bad news: not all MFA is created equal, and the methods most small businesses deploy first are the ones attackers have learned to defeat.
| MFA Method | Protection Level | Known Vulnerabilities |
|---|---|---|
| FIDO2 hardware keys / passkeys | Phishing-resistant (highest) | None at scale. The private key never leaves the device and the credential is bound to the legitimate domain. |
| Platform authenticators (Touch ID, Windows Hello) | Phishing-resistant (highest) | None at scale; same FIDO2/WebAuthn domain binding. Protection depends on the device itself staying uncompromised. |
| Authenticator apps with push + number matching | Moderate (Tier 2 per CISA CPG v2.0) | Vulnerable to AiTM relays: the proxied page shows the real number, the user approves it, and the attacker’s session is the one approved. Number matching stops MFA-fatigue prompt bombing, not relays. |
| Authenticator app codes (TOTP) | Moderate | Vulnerable to AiTM relays: a six-digit code typed into a lookalike page is forwarded within its short validity window. |
| SMS codes | Low (last resort per CISA) | Vulnerable to SIM swaps, SS7 interception, and AiTM relays. |
Microsoft reported a 146 percent increase in Adversary-in-the-Middle (AiTM) attacks in 2024. These attacks use reverse-proxy phishing kits, at least 11 of which are commercially available (Tycoon 2FA, EvilProxy, and Mamba among them) for a few hundred dollars a month, to relay both the password and the MFA code to the real service in real time. The user sees a successful login. The attacker walks away with the resulting session cookie, which grants access for as long as the session stays valid, with no further password or MFA prompt.
SMS codes and TOTP authenticator codes cannot stop this, and neither can push notifications with number matching, because each of them produces a secret the user can hand to the wrong page. Only phishing-resistant methods (FIDO2 hardware keys, passkeys, and platform authenticators) cryptographically bind the authentication to the legitimate domain: the browser will not offer a credential registered for the real login domain to a lookalike, and the signed response names the origin the user actually visited, so a relayed login fails the server’s check outright.
The parts of digital identity most MSPs ignore
MFA is the headline. But digital identity security has layers that most small businesses never discuss with their IT providers. Here is what a competent MSP should be doing beyond “turn on MFA for email.”
1. Disable legacy authentication protocols
Legacy protocols like IMAP, POP3, and SMTP AUTH use basic authentication: the client sends a username and password in a single step, so there is no point at which the identity provider can insert an MFA challenge. Microsoft found that legacy authentication accounts for over 97 percent of credential stuffing attacks and over 99 percent of password spray attacks. If a mailbox still has IMAP enabled, an attacker can try thousands of stolen passwords per hour without ever triggering an MFA prompt, and the attempts that succeed show up only in the sign-in logs, and only if someone is looking. Turning on MFA while leaving legacy protocols active is like locking the front door and leaving the basement window open. In Microsoft 365 this means disabling the protocols on each mailbox and blocking legacy authentication tenant-wide with a Conditional Access policy, and checking SMTP AUTH in particular: it was exempted from Microsoft’s 2023 shutdown of basic authentication and is routinely left on for scanners and line-of-business applications.
2. Enforce MFA on email, remote access, and admin accounts
Most small businesses enable MFA for email and their primary identity provider, then stop. CISA’s guidance calls for MFA on all remote access to the organization’s network and on all privileged or administrative access, with phishing-resistant methods for administrators wherever the platform supports them. Cyber insurers are now following suit. Coalition offers deductible discounts when MFA is required on business email. Corvus requires MFA on remote, email, and admin access as a condition of binding the policy.
3. Implement email authentication (SPF, DKIM, DMARC)
Digital identity is not just about how your employees log in. It is also about whether the emails your business sends can be shown to come from your business. SPF publishes which servers may send mail for your domain, DKIM signs each outbound message so receivers can detect tampering, and DMARC tells receivers what to do when a message fails both checks and where to send reports. A DMARC record set to p=none only monitors; spoofed mail is still delivered. Since May 5, 2025, Microsoft has required senders of more than 5,000 messages a day to Outlook.com, Hotmail, and Live addresses to have SPF, DKIM, and DMARC (at minimum p=none) in place, which catches many small businesses running a single marketing campaign; non-compliant mail is routed to junk and eventually rejected.
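As an added illustration (not from the original article or from any vendor tool), here is a small Go program that grades a domain’s SPF and DMARC records the way an MSP’s review script might. The DNS answers are constructed inline for the hypothetical domains contoso.example and fabrikam.example so it runs offline; a live version would replace lookupConstructed with net.LookupTXT. The SPF rules (exactly one record, a terminating -all or ~all, at most 10 lookup mechanisms) follow RFC 7208, and the DMARC checks flag p=none, p=quarantine, and a missing reporting address.

```go
package main

import (
	"fmt"
	"strings"
)

// dnsTXT is a constructed stand-in for DNS answers; a live check would call net.LookupTXT instead.
var dnsTXT = map[string][]string{
	"contoso.example":         {"v=spf1 include:spf.protection.outlook.com ~all"},
	"_dmarc.contoso.example":  {"v=DMARC1; p=none; rua=mailto:dmarc@contoso.example"},
	"fabrikam.example":        {"v=spf1 include:spf.protection.outlook.com -all"},
	"_dmarc.fabrikam.example": {"v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@fabrikam.example"},
}

func lookupConstructed(name string) []string { return dnsTXT[name] }

// report: SPFPolicy is the qualifier on the all mechanism ("-all", "~all", "?all", "+all" or ""),
// SPFLookups counts mechanisms that cost a DNS query, DMARCPolicy is the p= tag ("" if no record).
type report struct {
	Domain, SPFPolicy, DMARCPolicy string
	SPFLookups                     int
	Issues                         []string
}

// parseTags turns a "k=v; k=v" record such as DMARC into a lowercase-keyed map.
func parseTags(rec string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(rec, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	return tags
}

// evaluate grades SPF and DMARC for one domain. DKIM is not checked here: its public keys live under
// per-selector names an outsider cannot enumerate, so ask the MSP which selectors are in use.
func evaluate(domain string, lookup func(string) []string) report {
	r := report{Domain: domain}
	var spf []string
	for _, txt := range lookup(domain) {
		if strings.HasPrefix(strings.ToLower(txt), "v=spf1") {
			spf = append(spf, txt)
		}
	}
	if len(spf) != 1 { // none means anyone can send as you; more than one is a permerror under RFC 7208
		r.Issues = append(r.Issues, fmt.Sprintf("expected exactly one SPF record, found %d", len(spf)))
	} else {
		for _, tok := range strings.Fields(spf[0])[1:] {
			t, q := strings.ToLower(tok), "+" // a mechanism with no qualifier means pass
			if strings.ContainsAny(t[:1], "+-~?") {
				q, t = t[:1], t[1:]
			}
			switch {
			case t == "all":
				r.SPFPolicy = q + "all"
			case t == "a", t == "mx", t == "ptr", strings.HasPrefix(t, "a:"), strings.HasPrefix(t, "mx:"),
				strings.HasPrefix(t, "include:"), strings.HasPrefix(t, "exists:"), strings.HasPrefix(t, "redirect="):
				r.SPFLookups++
			}
		}
		if r.SPFPolicy != "-all" && r.SPFPolicy != "~all" {
			r.Issues = append(r.Issues, "SPF never fails unauthorised senders: end the record with ~all or, better, -all")
		}
		if r.SPFLookups > 10 {
			r.Issues = append(r.Issues, "SPF needs more than 10 DNS lookups and evaluates to permerror")
		}
	}
	var dmarc map[string]string
	for _, txt := range lookup("_dmarc." + domain) {
		if strings.HasPrefix(txt, "v=DMARC1") {
			dmarc = parseTags(txt)
		}
	}
	if dmarc == nil {
		r.Issues = append(r.Issues, "no DMARC record: SPF and DKIM results are never enforced, spoofed mail is still delivered")
		return r
	}
	r.DMARCPolicy = strings.ToLower(dmarc["p"])
	switch r.DMARCPolicy {
	case "reject": // enforced; nothing to report
	case "quarantine":
		r.Issues = append(r.Issues, "DMARC p=quarantine: spoofed mail is junked, not rejected; move to p=reject once reports are clean")
	case "none":
		r.Issues = append(r.Issues, "DMARC p=none: monitoring only, receivers still deliver spoofed mail")
	default:
		r.Issues = append(r.Issues, "DMARC record has no valid p= tag")
	}
	if _, ok := dmarc["rua"]; !ok {
		r.Issues = append(r.Issues, "DMARC has no rua= address: nobody receives the aggregate reports")
	}
	return r
}

func main() {
	for _, d := range []string{"contoso.example", "fabrikam.example", "nomail.example"} {
		r := evaluate(d, lookupConstructed)
		fmt.Printf("%s: SPF %q (%d lookups), DMARC p=%q, issues: %q\n", r.Domain, r.SPFPolicy, r.SPFLookups, r.DMARCPolicy, r.Issues)
	}
}
```

For the constructed records, contoso.example comes back with a single issue (p=none), fabrikam.example with none, and a domain with no records at all with two. The same function works unchanged on real TXT answers, which is the point: asking your provider for this output is a lot more useful than asking whether “DMARC is set up”.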
4. Audit exception lists and service accounts
Every MFA rollout creates exceptions: temporary exclusions for vendor accounts, service accounts that cannot complete an MFA challenge, legacy application integrations. The UK’s NCSC calls the accumulation of permanent exceptions without expiration dates an “MFA anti-pattern”. If your MSP cannot tell you how many accounts are exempt from MFA and when those exemptions expire, your MFA deployment has gaps.
5. Monitor connected SaaS applications
Every SaaS app connected via a work login is a potential entry point. The August 2025 Salesloft Drift breach, attributed by Google to the threat actor it tracks as UNC6395, saw attackers steal OAuth tokens issued to the Drift chatbot integration and use them to access over 700 Salesforce orgs, then expand to Slack, Google Workspace, and Amazon S3. MFA did not enter into it: an OAuth token is issued after the user has already authenticated, and it keeps working until someone revokes it. The list of companies affected read like a who’s who of the security industry: Zscaler, Cloudflare, Palo Alto Networks, Google, Tenable, Proofpoint, BeyondTrust, Bugcrowd, and CyberArk. If your IT provider cannot show you which third-party apps have active access to your systems, you are trusting every vendor’s security by default.
What to ask your IT provider
Do not accept “we have MFA enabled” as a complete answer. Ask these specific questions:
- What MFA methods are deployed, and are any accounts still protected only by SMS?
- Have legacy authentication protocols (IMAP, POP3, SMTP AUTH) been disabled on all mailboxes?
- What accounts are exempt from MFA, and when do those exemptions expire?
- Is DMARC configured and enforced (not just set to p=none) for our domain?
- Can you provide a list of third-party SaaS applications with active access to our systems?
- When did you last audit our MFA deployment for coverage gaps?
If your provider cannot answer these questions clearly and promptly, they are managing MFA as a checkbox, not as a security practice.
The bottom line
Stolen credentials are not a theoretical risk. They are the most common attack vector against small businesses, they fuel the majority of business email compromise and ransomware claims, and the attackers’ tools are getting cheaper and more effective every quarter. MFA, properly deployed, with phishing-resistant methods for privileged accounts, legacy protocols disabled, and exception lists audited, is the single highest-return security investment a small business can make.
The question is not whether your business can afford to implement MFA. The question is whether you can afford to keep relying on passwords alone while attackers rent AiTM phishing kits for a few hundred dollars a month.
Frequently asked questions
Is SMS-based MFA better than nothing?
SMS is better than no second factor, but it is the weakest form of MFA. SIM swaps and SS7 protocol attacks can intercept SMS codes, and an AiTM phishing page relays them as easily as a password. CISA recommends SMS only as a last resort when stronger options are unavailable. If your IT provider’s MFA deployment relies primarily on SMS, ask them to move to passkeys or FIDO2 keys, or at minimum to an authenticator app, and to stop offering SMS as a fallback on administrative accounts, since an attacker can choose the weakest method still enrolled.
How much does proper MFA deployment cost?
Authenticator apps are free. FIDO2 hardware keys cost $25 to $50 per employee. Passkeys have no additional per-user cost on most modern identity providers. The real cost is not the tools. It is picking the wrong method and re-enrolling the entire company six months later when you discover it does not stop modern attacks.
What is the difference between MFA and passkeys?
Passkeys are a specific type of phishing-resistant authentication built on the FIDO2/WebAuthn standard. Instead of a password plus a code, the user’s device holds a private key that never leaves the hardware, and the server holds only the public key. There is nothing for an attacker to intercept or relay: the device signs a fresh challenge together with the domain the browser is actually on, and a lookalike domain cannot even request the credential. Because the user also unlocks the device with a PIN or biometric, a passkey login already counts as two factors. The FIDO Alliance reports that over 1 billion people have activated at least one passkey, and over 15 billion online accounts now support them.
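To make the “nothing to relay” point concrete for this answer and for the AiTM discussion earlier in the article, here is an added Go example (not from the article, the FIDO Alliance, or any identity vendor) that simulates one passkey login and one AiTM relay of the same login against a hypothetical relying party, login.contoso.example, and verifies both the way a WebAuthn server does. The authenticator, the attacker’s lookalike domain login-contoso.example, and the challenge value are all constructed for the demonstration; the data layout (rpIdHash, flags and counter in authenticatorData; type, challenge and origin in clientDataJSON; a P-256 signature over authenticatorData || SHA-256(clientDataJSON)) is the real WebAuthn assertion format.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed relying party (RP): the real identity provider the user means to sign in to.
const rpID, rpOrigin = "login.contoso.example", "https://login.contoso.example"

// clientData mirrors the CollectedClientData the browser serialises into clientDataJSON.
// The browser, not the web page, fills in Origin from the URL actually being visited.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what navigator.credentials.get() hands back to the page.
type assertion struct {
	AuthenticatorData []byte // rpIdHash (32) || flags (1) || signCount (4)
	ClientDataJSON    []byte
	Signature         []byte // ECDSA P-256 over authenticatorData || SHA-256(clientDataJSON)
}

// signedDigest is the hash both sides compute: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// simulateAuthenticator stands in for the passkey on the user's device. The private key never leaves
// it, and pageRPID/pageOrigin are what the browser observed, not what the page claimed to be.
func simulateAuthenticator(priv *ecdsa.PrivateKey, pageRPID, pageOrigin, challenge string) assertion {
	rpHash := sha256.Sum256([]byte(pageRPID))
	authData := make([]byte, 37)
	copy(authData, rpHash[:])
	authData[32] = 0x05                           // flags: user present (UP) and user verified (UV)
	binary.BigEndian.PutUint32(authData[33:], 1) // signature counter
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		panic(err)
	}
	return assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}
}

// verifyAssertion is the RP side. Every value it compares against is one the RP itself chose,
// so a response relayed from a lookalike domain cannot satisfy it.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: replayed or cross-session response")
	}
	if cd.Origin != rpOrigin { // the check an AiTM relay fails: the browser recorded the phishing origin
		return fmt.Errorf("origin %q is not %q", cd.Origin, rpOrigin)
	}
	if len(a.AuthenticatorData) < 37 {
		return errors.New("authenticatorData too short")
	}
	if want := sha256.Sum256([]byte(rpID)); !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential was scoped to another domain")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature invalid")
	}
	return nil
}

// demo enrols one passkey, then verifies a genuine login and an AiTM relay of the same login.
func demo() (legitErr, relayErr error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // enrolment: only the public key reaches the RP
	if err != nil {
		return err, err
	}
	const challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl" // constructed; a real RP draws a fresh random one per login
	good := simulateAuthenticator(priv, rpID, rpOrigin, challenge)
	relayed := simulateAuthenticator(priv, "login-contoso.example", "https://login-contoso.example", challenge)
	return verifyAssertion(&priv.PublicKey, good, challenge), verifyAssertion(&priv.PublicKey, relayed, challenge)
}

func main() {
	legit, relay := demo()
	fmt.Println("genuine login:", legit, "| AiTM relay:", relay)
}
```

In a real browser the relay never gets this far: the credential for login.contoso.example is not offered on login-contoso.example at all, because the RP ID a page requests must match the domain it is served from. The simulation reuses the key only to show that, even then, the origin the browser wrote into clientDataJSON fails the server’s check. Contrast that with a TOTP code, which carries no information about where it was typed.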
Why does disabling legacy email protocols matter for MFA?
Legacy protocols like IMAP and POP3 use basic authentication, so the identity provider never gets the chance to require an MFA challenge. Attackers use them to run credential stuffing and password spray attacks that bypass MFA entirely, and a mailbox that still accepts them is protected by its password alone. Microsoft found that over 97 percent of credential stuffing attacks use legacy authentication.
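Added example for this answer and for item 1 above (it is not from the article or from Microsoft): a Go program that reads Entra ID sign-in log records in their JSON export form and pulls out what an MFA dashboard never shows, namely password-only sign-ins over legacy protocols that succeeded, and sources spraying one password across many mailboxes over IMAP. The eight records are constructed; the field names (clientAppUsed, userPrincipalName, ipAddress, status.errorCode) follow the sign-in log schema, error code 50126 is Entra’s “invalid username or password”, and the spray threshold of five accounts per source is an assumption made for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// signIn holds the fields used here from an Entra ID sign-in log record (JSON export). Field names
// follow the sign-in log schema; other fields in a real export are ignored. The records below are constructed.
type signIn struct {
	UserPrincipalName string `json:"userPrincipalName"`
	IPAddress         string `json:"ipAddress"`
	ClientAppUsed     string `json:"clientAppUsed"`
	Status            struct {
		ErrorCode int `json:"errorCode"`
	} `json:"status"`
}

// legacyClients are clientAppUsed values that send a bare username and password and so never
// reach an MFA challenge (the set Conditional Access classes as legacy authentication).
var legacyClients = map[string]bool{
	"IMAP4": true, "POP3": true, "Authenticated SMTP": true, "Exchange ActiveSync": true, "Other clients": true,
}

const (
	errBadPassword = 50126 // AADSTS50126: invalid username or password
	sprayMinUsers  = 5     // distinct accounts from one source before calling it a spray (assumed)
)

type ipStats struct {
	Attempts, Failures int
	Users              map[string]bool
}
type findings struct {
	LegacySuccesses []string            // every password-only login that worked: user, client, source
	SprayIPs        []string            // sources that tried many accounts over legacy protocols
	ByIP            map[string]*ipStats // per-source counts behind SprayIPs
}

// analyze reads newline-delimited JSON sign-in records and reports the two things an MFA
// dashboard never shows: legacy sign-ins that succeeded, and sources spraying passwords over them.
func analyze(ndjson string) (findings, error) {
	f := findings{ByIP: map[string]*ipStats{}}
	sc := bufio.NewScanner(strings.NewReader(strings.TrimSpace(ndjson)))
	for sc.Scan() {
		var r signIn
		if err := json.Unmarshal(sc.Bytes(), &r); err != nil {
			return f, fmt.Errorf("bad record %q: %w", sc.Text(), err)
		}
		if !legacyClients[r.ClientAppUsed] {
			continue // modern auth: Conditional Access and MFA apply, out of scope here
		}
		st := f.ByIP[r.IPAddress]
		if st == nil {
			st = &ipStats{Users: map[string]bool{}}
			f.ByIP[r.IPAddress] = st
		}
		st.Attempts++
		st.Users[r.UserPrincipalName] = true
		switch r.Status.ErrorCode {
		case 0:
			f.LegacySuccesses = append(f.LegacySuccesses, fmt.Sprintf("%s via %s from %s", r.UserPrincipalName, r.ClientAppUsed, r.IPAddress))
		case errBadPassword:
			st.Failures++
		}
	}
	for ip, st := range f.ByIP { // many accounts, mostly failures, from one source
		if len(st.Users) >= sprayMinUsers && st.Failures*2 >= st.Attempts {
			f.SprayIPs = append(f.SprayIPs, ip)
		}
	}
	sort.Strings(f.SprayIPs)
	return f, sc.Err()
}

// sampleLog is constructed: one source tries a password against six mailboxes over IMAP (one works),
// a user signs in through a browser (modern auth), and a scanner still sends over SMTP AUTH.
const sampleLog = `
{"createdDateTime":"2026-03-02T03:14:05Z","userPrincipalName":"ana@contoso.example","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2026-03-02T03:14:09Z","userPrincipalName":"ben@contoso.example","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2026-03-02T03:14:12Z","userPrincipalName":"cy@contoso.example","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2026-03-02T03:14:15Z","userPrincipalName":"dee@contoso.example","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T03:14:19Z","userPrincipalName":"eli@contoso.example","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2026-03-02T03:14:22Z","userPrincipalName":"fay@contoso.example","ipAddress":"203.0.113.7","clientAppUsed":"IMAP4","status":{"errorCode":50126}}
{"createdDateTime":"2026-03-02T08:02:41Z","userPrincipalName":"ana@contoso.example","ipAddress":"198.51.100.20","clientAppUsed":"Browser","status":{"errorCode":0}}
{"createdDateTime":"2026-03-02T08:05:10Z","userPrincipalName":"scanner@contoso.example","ipAddress":"198.51.100.44","clientAppUsed":"Authenticated SMTP","status":{"errorCode":0}}
`

func main() {
	f, err := analyze(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Printf("password-only logins that succeeded: %v\nlikely spray sources: %v\n", f.LegacySuccesses, f.SprayIPs)
}
```

The one IMAP4 success from 203.0.113.7 is the finding that matters: dee’s mailbox still had IMAP enabled, so the sprayed password worked and MFA was never consulted. Run against a real export, a non-empty LegacySuccesses list is the evidence to take to whoever owns those mailboxes before the protocols are turned off, and the scanner account shows why SMTP AUTH deserves its own line in that conversation.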
How do I know if my MSP is actually managing our digital identity, or just checking a box?
Ask for documentation. A competent MSP can show you which MFA methods are deployed per account, which legacy protocols are disabled, what your DMARC policy is set to, how many accounts are exempt from MFA, and when those exemptions were last reviewed. If they cannot produce this information, they are not managing it.
About the author
Brent Lacy is the author of Rewired MSP: Mastery, Scalability and Performance, vCIO Rewired: Virtually Conquering IT Obstacles, and Near Miss: Preventable IT Failures Threatening Your Business. With over 20 years in the managed services industry, Brent writes about building MSPs that put client outcomes ahead of revenue extraction. His work focuses on trust-based partnerships, documented processes, and the operational discipline that separates MSPs built to last from those built to bill.
Related articles
- Is Your IT Provider Securing Your DNS? What Business Owners Need to Know
- Backup Is Not Business Continuity: The Crucial Difference
- Is Your IT Provider Giving Users Too Many Rights?
Sources:
- Zip Security, “MFA for Small Business: How to Deploy Multi-Factor Authentication Across Every Employee”. Cites Verizon DBIR 2025 (22% of all breaches involve stolen credentials; 33% of small-business breaches), CISA (MFA blocks 100% of bot attacks, 99% of bulk phishing), Microsoft (97%+ of credential stuffing uses legacy auth), NCSC MFA anti-patterns, Coalition/Corvus insurance requirements. Retrieved June 2026.
- Smarter MSP (Mike Vizard), “MSPs Will Need to Drive MFA Adoption for Small Businesses”. Cites Cyber Readiness Institute global survey of 1,403 small business owners: 46% implemented MFA, 13% require it for most accounts, 55% not very aware of MFA benefits. Published July 13, 2022. Retrieved June 2026.
- LastPass Blog (Shireen Stephenson), “MFA in 2026: When Yesterday’s Multi-Factor Authentication Isn’t Enough”. Updated March 12, 2026. Cites DBIR 2025 data: 27% of small businesses (25 or fewer employees) have adopted MFA, 34% of medium businesses. Reports 146% increase in AiTM attacks in 2024, 11+ commercially available AiTM phishing kits, Salesloft-Drift breach (UNC6395) affecting 700+ Salesforce orgs. Retrieved June 2026.
- CISA, “Require Multifactor Authentication”. Official U.S. government guidance requiring MFA for all remote access and privileged/administrative access. Retrieved June 2026.
- Mimecast, “Microsoft Implements Strict DMARC, SPF, and DKIM Policies”. Covers Microsoft’s May 5, 2025 requirement for DMARC, SPF, and DKIM on all emails to Outlook/Hotmail/Live accounts. Retrieved June 2026.